AWS Identity Federation


Please note: this course has now been replaced with Using AWS Identity Federation to Simplify Access at Scale, which can be found here.


AWS Identity Federation is the practice of using an external identity source to grant access to the AWS Management Console and AWS resources. Federation comes at several levels: it can tie into an existing corporate directory, a SAML 2.0 identity provider, or a public identity provider, so that users are authenticated by the identity store the organization already trusts, while the IAM role they are mapped to determines what they are authorized to do in AWS.

Intended audience

  • AWS Administrators
  • Security Engineers
  • Security Architects

Prerequisites

  • You should first complete the Identity and Access Management course
  • Have an understanding of enterprise identity technologies such as Active Directory and LDAP, and of open identity providers such as Google, Facebook, Twitter, or Amazon

Learning Objectives

  • Understand what Identity Federation is as it relates to AWS Console access
  • Demonstrate the ability to set up and use Cross Account Roles
  • Demonstrate the ability to use Simple AD as the authentication source for Cross Account Roles
  • Understand the concepts of SAML and determine how SAML could be used to authenticate users to the AWS Console

This Course Includes

  • 45 minutes of high-definition video
  • Live demonstrations of key course concepts

What You'll Learn

  • Course Intro: What to expect from this course
  • What is Identity Federation?: This lesson defines the purpose and uses of Identity Federation
  • Types of Identity Federation: In this lesson, we’ll discuss the different ways it is used within AWS
  • Identity Federation Demos: In this lesson, we’ll walk through how to set up Cross Account Roles, first using IAM user IDs and then using Simple AD for authentication with Cross Account Roles
  • Course Conclusion: A wrap-up and review of the course

Hello and welcome to Cloud Academy's course on Identity Federation on AWS. This course is designed to give you the knowledge to understand what Identity Federation is, what its features and functions are, how you can federate your login to the AWS Console, and how to centrally manage AWS Console access with Cross Account Roles and directory services. This is not an introductory-level course.

This is an advanced topic for a specific purpose that should be taken after you are familiar with most of the features of AWS and have a good understanding of AWS Identity and Access Management. Before we get too far along, let me tell you a little bit about myself.

My name is Tom Lynch, and I'll be your instructor for this course. I've been in the IT industry for over 30 years. I first began working in virtualized environments in 1996, but that was on IBM mainframes, so it was similar but different. I have been an active AWS consultant since late 2012, and earned my Solution Architect Associate in March of 2013, followed by my AWS Solution Architect Professional in November of 2015. The topics covered in this course are: what Identity Federation is as it relates to AWS Console access; the types of federation available to AWS; how to set up and use Cross Account Roles; how to use Simple AD for IAM authorization with Cross Account Roles; the concepts of SAML; how SAML could be used for AWS Console authorization; the concepts of web federation; a demo of Cross Account Roles for federation; and a demo of Simple AD for AWS authentication.

I will distinguish two types of Identity Federation that AWS provides: Identity Federation to your organization's identity store, and Identity Federation to OpenID providers. I will discuss how to federate OpenID providers to an AWS account. I will first cover Cross Account Roles. This is a technique for one AWS account to access or manage another account's resources, with authentication being processed in the first AWS account.

I will discuss how to use Microsoft Active Directory as your central point for authentication, with Cross Account Roles to a second AWS account. I will cover the concepts of SAML and how SAML can be used for authentication to the AWS Console. And finally, I will discuss the use of web federation in a broader sense for authentication to your own applications. I will demonstrate how to set up Cross Account Roles between two AWS accounts using basic IAM, and then, finally, I will show how to use AWS Simple AD as a central authentication source for continued Console access, with Cross Account Roles to grant access to the second AWS account.

Since this is a more advanced course and topic, I'm suggesting a few prerequisites that should be completed prior to taking this course. You should review the Identity and Access Management course. Identity Federation on AWS is directly tied to IAM roles and IAM policy. It will be helpful to have an understanding of enterprise identity technologies, such as Active Directory and LDAP, and some open identity providers, such as Google, Facebook, Twitter or Amazon. A good learning path that is helpful for this course is the Solution Architect Associate certification for AWS here at Cloud Academy.
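The Cross Account Role technique the introduction describes (authentication in one account, resources managed in another) rests on two policies that have to agree: a trust policy on the role in the resource account and an identity policy on the users or groups in the identity account. The following is an added example and not the course's own material; the account IDs 111111111111 and 222222222222, the role name CrossAccountAdmins and the ExternalId value are made up, and `assume_role_allowed` is a deliberately simplified offline check of those two constructs, not AWS's policy engine:

```python
"""Cross Account Roles: the two policies that must agree before a user in
one AWS account can assume a role in another.

Added example, not code from the course. Account IDs 111111111111 (the
identity account, where users log in) and 222222222222 (the resource
account), the role name CrossAccountAdmins and the ExternalId value are
made-up values for illustration.
"""
import json
from typing import Optional

IDENTITY_ACCOUNT = "111111111111"   # users authenticate here
RESOURCE_ACCOUNT = "222222222222"   # the role lives here
ROLE_NAME = "CrossAccountAdmins"
EXTERNAL_ID = "example-external-id"  # assumed shared value for the sts:ExternalId check


def trust_policy(trusted_account: str, external_id: Optional[str] = None,
                 require_mfa: bool = False) -> dict:
    """Trust (assume-role) policy on the role in the RESOURCE account.

    Trusting the account root delegates the choice of *which* users may
    assume the role to the identity account's own IAM policies; the
    optional conditions narrow that further (ExternalId against the
    confused-deputy problem, MFA for human users).
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    condition = {}
    if external_id:
        condition["StringEquals"] = {"sts:ExternalId": external_id}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_permission(resource_account: str, role_name: str) -> dict:
    """Identity policy for the users/groups in the IDENTITY account.

    The trust policy alone is not enough: the caller also needs
    sts:AssumeRole permission on the exact role ARN. Granting it per
    group is what makes cross-account access centrally manageable.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::{resource_account}:role/{role_name}",
        }],
    }


def assume_role_allowed(trust: dict, caller_arn: str,
                        external_id: Optional[str] = None,
                        mfa: bool = False) -> bool:
    """Offline check: would this caller pass the trust policy?

    Covers only the constructs trust_policy() emits (account-root
    principal, sts:ExternalId, aws:MultiFactorAuthPresent); it is not a
    general IAM policy evaluator.
    """
    caller_account = caller_arn.split(":")[4]
    for stmt in trust["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        if stmt["Principal"].get("AWS") != f"arn:aws:iam::{caller_account}:root":
            continue
        cond = stmt.get("Condition", {})
        wanted_id = cond.get("StringEquals", {}).get("sts:ExternalId")
        if wanted_id is not None and wanted_id != external_id:
            continue
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true" and not mfa:
            continue
        return True
    return False


if __name__ == "__main__":
    # Role in the resource account, assumable only with the ExternalId and MFA.
    print(json.dumps(trust_policy(IDENTITY_ACCOUNT, EXTERNAL_ID, require_mfa=True), indent=2))
    # Policy attached to the admins group in the identity account.
    print(json.dumps(assume_role_permission(RESOURCE_ACCOUNT, ROLE_NAME), indent=2))
    # With both in place, a user of the identity account switches roles in the
    # console, or from the CLI:
    #   aws sts assume-role --role-arn arn:aws:iam::222222222222:role/CrossAccountAdmins \
    #       --role-session-name alice --external-id example-external-id
```

Trusting the account root and narrowing with conditions is the usual pattern: the resource account never has to know individual user names, and the identity account controls membership through its own groups. The ExternalId condition is aimed at programmatic access by a third party; for human console users the MFA condition plus a tightly scoped identity-side policy is the control that matters.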
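For the SAML-to-console path mentioned in the introduction, the part that is easy to get wrong is the content of the assertion the identity provider posts to AWS: the audience must be the AWS sign-in endpoint and the assertion must carry the Role and RoleSessionName attributes AWS defines. The block below is an added example, not part of the course; `SAMPLE_ASSERTION` is a constructed, unsigned fragment with made-up account ID, role and provider names, and the parser only extracts what AWS looks for. It does not verify the signature, which AWS itself checks against the SAML provider registered in IAM before trusting any of these attributes:

```python
"""What AWS looks for in a SAML assertion before it lets a federated user
into the console.

Added example, not code from the course. SAMPLE_ASSERTION is a
constructed, unsigned fragment with a made-up account ID, role and
provider names. A real assertion is signed by the IdP, and AWS checks
that signature against the SAML provider registered in IAM before any of
these attributes are trusted; this parser deliberately does not verify
signatures.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_AUDIENCE = "https://signin.aws.amazon.com/saml"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"

# Constructed sample: two selectable roles (second value lists the provider
# first, which AWS also accepts), a session name and a one-hour duration.
SAMPLE_ASSERTION = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://signin.aws.amazon.com/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::222222222222:role/SAMLAdmins,arn:aws:iam::222222222222:saml-provider/CorpIdP</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::222222222222:saml-provider/CorpIdP,arn:aws:iam::222222222222:role/SAMLReadOnly</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
      <saml:AttributeValue>3600</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
""".strip()


def _attribute_values(root: ET.Element, name: str) -> List[str]:
    """All AttributeValue texts for the attribute called `name`."""
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == name:
            return [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
    return []


def parse_role_pairs(values: List[str]) -> List[Tuple[str, str]]:
    """Each Role value is 'role-arn,provider-arn' (AWS accepts either order).
    Returns (role_arn, provider_arn) tuples."""
    pairs = []
    for value in values:
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 2:
            raise ValueError(f"malformed Role value: {value!r}")
        role = next((p for p in parts if ":role/" in p), None)
        provider = next((p for p in parts if ":saml-provider/" in p), None)
        if role is None or provider is None:
            raise ValueError(f"Role value needs a role ARN and a saml-provider ARN: {value!r}")
        pairs.append((role, provider))
    return pairs


def parse_aws_saml(assertion_xml: str) -> dict:
    """Extract the role choices, session name and duration AWS uses.

    Raises ValueError when the assertion is not addressed to AWS or lacks
    the mandatory attributes; these are the cases that surface as a
    sign-in failure after the IdP has already authenticated the user.
    """
    root = ET.fromstring(assertion_xml)
    audiences = [a.text.strip() for a in
                 root.iterfind(".//saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML_NS)
                 if a.text]
    if AWS_AUDIENCE not in audiences:
        raise ValueError(f"assertion not addressed to {AWS_AUDIENCE}: {audiences}")
    roles = parse_role_pairs(_attribute_values(root, ROLE_ATTR))
    if not roles:
        raise ValueError("no Role attribute: nothing to assume")
    session = _attribute_values(root, SESSION_NAME_ATTR)
    if len(session) != 1:
        raise ValueError("exactly one RoleSessionName is required")
    duration = _attribute_values(root, DURATION_ATTR)
    return {
        "roles": roles,
        "session_name": session[0],
        "duration": int(duration[0]) if duration else None,
    }


if __name__ == "__main__":
    info = parse_aws_saml(SAMPLE_ASSERTION)
    # More than one role pair means the console shows the user a role chooser.
    for role, provider in info["roles"]:
        print(f"{info['session_name']} may assume {role} via {provider}")
```

Each role ARN in the attribute must have a trust policy that names the matching saml-provider ARN as its principal for sts:AssumeRoleWithSAML; the provider ARN in the assertion is how AWS knows which registered IdP certificate to verify the signature against. Authorization is still entirely the role's IAM policy, so the SAML side only decides which roles a user may pick, not what they can do.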

About the Author

Tom is an active AWS consultant who has been creating and deploying AWS solutions for over five years. He has worked on numerous projects, ranging from small, lean startups on a tight budget to massive commercial enterprises with large-scale budgets and large-scale requirements that must be met no matter the cost. Tom has worked for several United States government agencies, taking them to the cloud by migrating solutions from on-premises data centers to the AWS cloud securely while reducing their overall cost to operate and maintain.

In his spare time, Tom rides his bicycle, samples a good wine or two, enjoys a good meal, and watches Formula One races.